Re: [TLS] Twist security for brainpoolp256r1

Oleg Gryb <oleg_gryb@yahoo.com> Tue, 11 November 2014 22:45 UTC

Return-Path: <oleg_gryb@yahoo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 468F61A1B5B for <tls@ietfa.amsl.com>; Tue, 11 Nov 2014 14:45:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.406
X-Spam-Level:
X-Spam-Status: No, score=0.406 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NhRZ1LhW4vtE for <tls@ietfa.amsl.com>; Tue, 11 Nov 2014 14:45:04 -0800 (PST)
Received: from nm11-vm1.bullet.mail.bf1.yahoo.com (nm11-vm1.bullet.mail.bf1.yahoo.com [98.139.213.152]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E66801A1B56 for <tls@ietf.org>; Tue, 11 Nov 2014 14:45:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1415745903; bh=mcAjsLsn5oGu6jiiNp9rmgc5mNGxHjjNE1hEbzbhviY=; h=Date:From:Reply-To:To:In-Reply-To:References:Subject:From:Subject; b=i7vUn5EmiqNHbbd/STCHXEshKTv9nmEDTeQo+GJ8nN+xMVq/3HpZbyoqV0FIljtLQ2O6YI0XXZag+r0k//K1ndBeY7uw6ThngAofTASkwh5clKv6Xqs/9dNIgaXFIxPu9HWj2txJSZTVKhgEf6XfORjY9S35gAnLT4aVl+yhPToStXvKttzTj7fv+HfKU0wwHybJStvVhEoTBzlex0jzHALPb7EiYsWE3jZf6nvHXkae5YVE2qdfdVUbHDF46hOjoFYDwoZiDXejgsHs4rVvUU2xuNR70MxFldk1a/N9hzmJ71ES2VQthtWFIDXTPwbbecW9KwMDmnXZXAwKiy6L8w==
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s2048; d=yahoo.com; b=ny0cIHi45otuNHnlzgtikYNooI3I8EjMh2fOfe7vP1NH4kdtDW4nw0rdsXEs98uhljRn4/EbRjn5QPfIj9wdsIGxTrWf74tenlcg/DpY4MU4zqoH+d5sjUOj4ZJdF6s/T4w/LUfyPLE7TTAnW3Gm6fGXEoYFmWHe4i1R7ci2bk33nELz/q0rhnxg8khl10T4ATT3XG7LvTQ0MyMYWqR2Vu9M3C5VWkQo7Itf4Wt2CdfvK0pbXm3uToWlEwCkK6JU/q0nIRSrB76+YflWm0J6envQlpiFKYrIHjPRRsLH4ByJICxfWuxxQrIjeSYJl/f1LPUqdq0QsM74RJXoClK09g==;
Received: from [66.196.81.174] by nm11.bullet.mail.bf1.yahoo.com with NNFMP; 11 Nov 2014 22:45:03 -0000
Received: from [98.139.212.243] by tm20.bullet.mail.bf1.yahoo.com with NNFMP; 11 Nov 2014 22:45:03 -0000
Received: from [127.0.0.1] by omp1052.mail.bf1.yahoo.com with NNFMP; 11 Nov 2014 22:45:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 993118.46423.bm@omp1052.mail.bf1.yahoo.com
X-YMail-OSG: gdtQyuIVM1lOGifHzVgcoYoiCNOX7Yxijh5a8pdn.qY6skOm38BfC6yeu_evPW. eNvbHTLzEA.bZf47cpsR0iQy9dUJfL5VW4GuktnAu3DyShzEmRz8F3Ly2FAF0ztsa_CueMwA.QQt MlKLK0hg6THLDZXEQorX7VjExH6dHFDRMcXnyL.dYqCetNjGznga5LKlENjHI.CIzoMfLUEIcCES VXaYE5dsl4IfwGPYsdmldo6t9MxMu8bjNblV0INeSj8uiAz8YcJrknpmucVO26lO0YjxqOACdECZ RZEFMJMXIbHowPQchPCU_lWONvfqoCtmmyd1hCC9YBz9AN4bEyv2v8OJv4aZcox0UsdDmz8QbBnQ aPANio9hZLM6wyfImAftxaq3GAcFA7xvXRjEqgi3APilPTEKt43o88o4MDN0hPu7C8WxHZDgsAum oF784hlBnH9hRWxXX6dyekfC.jxcZm926iNmDnDF353GjEuDwOhPlxSJ94J3RweYKzTTQ
Received: by 66.196.80.122; Tue, 11 Nov 2014 22:45:02 +0000
Date: Tue, 11 Nov 2014 22:44:03 +0000 (UTC)
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: =?UTF-8?Q?Manuel_P=C3=A9gouri=C3=A9-Gonnard?= <mpg@polarssl.org>, Oleg Gryb <oleg@gryb.info>, Johannes Merkle <johannes.merkle@secunet.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <326376278.627731.1415745843824.JavaMail.yahoo@jws10697.mail.bf1.yahoo.com>
In-Reply-To: <546285BB.6070600@polarssl.org>
References: <546285BB.6070600@polarssl.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UBfgUGD7d0jLeSFo8LkKzg54l2Q
Subject: Re: [TLS] Twist security for brainpoolp256r1
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Oleg Gryb <oleg@gryb.info>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 22:45:05 -0000

> It's the cost of an attack for an attacker who can force you to accept a 

> point
> that is not on the curve but on its non-quadratic twist.
> 
> In the context of TLS (with the currently available curves and point formats)
> what safecurves calls "twist security" is totally irrelevant: either 
> the
> implementation validates that points are on the curve, or you're vulnerable 
> to
> an invalid curve attack which is much more powerful than a twist attack.
> 
> Any decent implementation (which includes OpenSSL and some others) of ECC with
> TLS will check that points belong on the intended curve.


It answers my question, thanks.

>>  The last question that I have is related to brainpool curves 
> implementations in openssl.
> 
> This question is more suited to the OpenSSL list, as it is specific to this
> implementation. This list is about the protocol.


What about EC arithmetic optimization specific to a curve? Is it a kind of qs that is appropriate for this forum? If it is, probably somebody can provide pointers about optimizations that have been already implemented for the curve in the subject. I think, efficiency should be an important consideration of this protocol.